Recently, the Association of German Data Protection Authorities (“Datenschutzkonferenz” or “DSK”) issued guidelines setting out a GDPR fining methodology (“Fining Methodology”). The Fining Methodology arrives at a time of significantly increased GDPR enforcement across the EU. The European Data Protection Board (“EDPB”) reported a total of 281,088 national enforcement actions initiated as of May 22, 2019 (approximately one year after the GDPR’s entry into application). Since then, data protection authorities across the EU have been initiating enforcement actions and imposing fines on a daily basis. In particular, in the UK, the Information Commissioner’s Office (“ICO”) has issued two notices of intention to fine, of €114m and €215m, for failure to implement appropriate data security measures.
Authorities are not focusing solely on large or data-rich companies in specific industries, as might have been expected. Instead, they have been taking an aggressive approach to GDPR non-compliance by companies of varying size across a broad range of industries, including enforcement in situations where there has been no actual loss of personal data (as there would be in a data breach) and no harm to individuals. For example, a number of fines have recently been imposed on businesses that retained data on their systems for longer than necessary, in contravention of the GDPR’s data minimization and storage limitation principles. These include a fine of €400,000 against a public housing company in France, a €14.5m fine against a real estate company in Germany, a kr. 1.5m fine against a furniture manufacturer in Denmark and a kr. 1.2m fine against a taxi company in Denmark.
Data protection authorities have now also started to formalize how they will impose fines. The UK ICO issues ‘notices of intention to fine’, after which the companies subject to the enforcement action can make representations in an attempt to reduce the fine. The Dutch data protection authority had already published its fining methodology, and most recently the German DSK has adopted a methodology of its own. In the absence of pan-EU guidance from the EDPB, national data protection authorities are adopting their own fining methodologies and are beginning to apply them in their enforcement actions. The German DSK Fining Methodology in particular takes an aggressive stance, owing to the high thresholds it puts forward. These new fining methodologies will likely lead to fines approaching the maximum thresholds foreseen in the GDPR (up to 4% of global annual turnover).
The DSK’s Fining Methodology is complex, and provides for a five-step process to follow when determining the amount of an administrative fine.
Step 1: the undertaking subject to enforcement is categorized according to its turnover in the preceding year. The concept of ‘undertaking’ is interpreted in line with its meaning under EU competition law, and may comprise more group entities than just the entity that committed or was involved in the infringement. An entity is treated as involved when it exercises ‘decisive influence’; for example, a parent company is presumed to exercise decisive influence over its wholly owned subsidiary. The blanket transposition of this concept into EU data protection law, however, significantly increases the annual turnover taken into account and therefore the basis for a fine.
Step 2: the undertaking is allocated an annual average turnover amount in accordance with the category set in step 1.
Step 3: the undertaking’s ‘economic base value’ or daily average turnover amount is calculated by dividing the amount under Step 2 by 360. This daily amount will ultimately serve as the basis of the fine. Note that the actual turnover of an undertaking is only taken into account when the annual turnover exceeds €500m. In this case, the fine may amount to a given percentage (2-4%) of actual turnover.
Step 4: the base value is multiplied by a factor between 1 and 12 to reflect the gravity of the infringement.
Step 5: additional mitigating or aggravating factors are taken into consideration (to the extent these have not yet been taken into account under Step 4). These may include the degree of cooperation with the authority, the intentional or negligent character of the infringement, and the nature of the personal data and scope of the processing involved.
The Fining Methodology provides detailed tables for determining the basic amount of a fine (as provided for in Steps 1-3). These show that the lowest possible fine for a company with an actual annual turnover between €200m and €300m is €694,444, for a minor infringement without any aggravating circumstances.
Recent Enforcement Action Using DSK Fining Methodology
German data protection authorities have already started to apply the DSK Fining Methodology. In particular, the Berlin data protection authority recently issued a fine of €14.5m using the five-step process outlined above. The case concerned excessive data retention by a real estate company and a failure to implement the privacy-by-design principle (the press release, in German, is available here). Importantly, the Berlin authority accepted certain mitigating factors, including the company’s due cooperation with the authority and the measures it had taken to remedy the infringement, and so reduced the original fine of €28m.
The EDPB, tasked with ensuring the consistent application of the GDPR throughout the EU, is expected to adopt a harmonizing fining methodology but no timeline has been made available for this effort. Until then, the DSK Fining Methodology and methodologies of other national authorities remain valid and are likely to lead to significant GDPR fines in the future.
In the meantime, companies should consider reviewing their GDPR programs to check that they are in line with GDPR requirements, and should follow GDPR enforcement actions. In addition, companies with cross-border processing activities should consider how the GDPR’s one-stop-shop mechanism may apply to them, including identifying their lead data protection authority.